
Cybersecurity Insights for Municipal IT Leaders

Municipalities and local governments across North America are facing more cyber threats and more technology pressure than ever before, as the push toward AI readiness and adoption accelerates.

In Canada, a 2024 study by the Canadian Internet Registration Authority found that 55% of MUSH organizations (municipalities, universities, schools, and hospitals) experienced a cyberattack in the past year, with the average ransom paid rising to $1.13 million CAD in 2023.

In the United States, the picture is equally alarming: the FBI's IC3 reported $2.77 billion in Business Email Compromise losses and $405.6 million in government impersonation losses in 2024 alone, while the average ransomware incident cost reached $5.13 million USD in 2024, including ransom, recovery, and downtime. State and local governments accounted for the second-highest share of ransomware attacks in 2024, with over 200 reported incidents targeting U.S. municipal services.

Whether it's a city in New Brunswick or a county in Ohio, the pattern is the same: limited IT staff, aging infrastructure, expanding attack surfaces, and threat actors who know local governments often lack 24×7 security monitoring.

Navigating IT & Cybersecurity Challenges in your Municipality?

We’ve tackled some of the most common concerns municipalities face when assessing their cybersecurity posture. These insights will help you better understand your risks so that you can make informed decisions to protect critical infrastructure and safeguard public data.

1. Why do Cybercriminals Target Municipalities?

Municipal governments are frequent targets for two main reasons: they manage sensitive data, and they may not be as secure as other organizations.  Personal data, financial information, and confidential employment records are exactly the kinds of information cybercriminals look for since they can be sold and/or exploited for further attacks. With many municipalities facing a shortage of skilled IT personnel for incident prevention and management, and limited resources to upgrade outdated infrastructure, there is often a perfect storm for vulnerabilities to go unaddressed and threats to escalate quickly.

2. Are Smaller Municipalities Less Likely to be Targeted in Cyberattacks?

No, smaller municipalities are often just as vulnerable as larger and better-funded municipalities, if not more so. Cybercriminals frequently see smaller communities as easier targets due to under-resourced IT environments and more limited incident response capabilities. In January 2024, the town of Westlock, Alberta was hit with a ransomware attack that affected its 1,600 residents, leading to the exposure of personal information and the need for credit monitoring and identity protection services.

Similar incidents are occurring across the U.S. as well. For example, a 2023 cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania targeted a small local utility, forcing systems offline and requiring manual operations to maintain services. Incidents like these underscore the urgent need for strong cybersecurity defenses in municipalities of all sizes.

3. Is My Municipality at Risk of a Cybersecurity Incident?

Every municipality, across Canada and the U.S., is at risk of cyber threats. In February 2024, the City of Hamilton, Ontario experienced a major cybersecurity breach that disrupted critical services. The attack impacted systems supporting 8,000 employees, nearly 600,000 residents, and roughly 7,000 business partners. By November, recovery costs had exceeded $9.6 million, with full restoration projected at $52 million.

U.S. municipalities are facing similar challenges. In February 2023, the City of Oakland, California declared a state of emergency following a ransomware attack that forced systems offline and disrupted non-emergency services across the city.  In a separate incident, the City of Dallas was hit by ransomware in 2023, taking down key systems including public safety and court operations and compromising data for more than 200,000 individuals.

Incidents like these highlight the growing risk facing municipalities on both sides of the border and underscore the need for a proactive cybersecurity approach. A partner like Bulletproof can help assess your current defenses, identify vulnerabilities, and deliver a clear, actionable roadmap to reduce risk and strengthen resilience.

To demonstrate the value of cybersecurity investments, municipalities should track:

  • Service Continuity: System uptime and recovery time after incidents

  • Risk Reduction: Number and severity of vulnerabilities remediated

  • Cost Avoidance: Estimated costs saved through breach prevention

These metrics give municipal leadership clear visibility into the return on cybersecurity investments.

4. What is Cyber Insurance, and Does My Municipality Need It?

Cyber insurance helps cover the unique costs of cyber incidents, but it is NOT a replacement for strong cybersecurity practices.  Cyber insurance is a specialized policy that provides financial protection against cyber incident-related expenses such as legal fees, incident response, and business interruptions. For municipalities managing sensitive data and critical services, it can offer a valuable safety net. However, because policies can vary in coverage and cost, municipalities should carefully assess their risks, current defenses, and budgets before buying. 

Above all, cyber insurance is not a replacement for strong cybersecurity practices. It works best as part of a comprehensive strategy focused on proactive risk management and robust security measures. Many insurance providers require organizations to provide proof of security controls (e.g. MFA, backups) before they issue policies.

5. What Legal Considerations Should a Municipal Cybersecurity Plan Have?

Municipalities must navigate a complex mix of provincial, federal, and U.S. privacy laws when building a cybersecurity plan. In Canada, each province can have its own regulations governing the handling of personal information. For example, Ontario has the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Alberta the Freedom of Information and Protection of Privacy Act (FOIP), and BC the Freedom of Information and Protection of Privacy Act (FIPPA).

In addition to provincial laws, federal legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act may apply, especially when municipalities work with third-party vendors or connect with federal systems.

For municipalities operating in or serving U.S. jurisdictions, additional legal considerations apply. While there is no single federal privacy law equivalent to PIPEDA, municipalities must comply with a growing patchwork of state-level data protection and breach notification laws. Many states require timely disclosure of breaches involving personal information, and sectors such as critical infrastructure may also fall under federal guidance from agencies like the Cybersecurity and Infrastructure Security Agency (CISA).

A robust municipal cybersecurity plan must account for these overlapping and cross-border legal requirements to safeguard sensitive data and minimize the risk of legal exposure, financial penalties, and reputational damage. It is also critical for municipalities to conduct regular privacy impact assessments (PIAs) and maintain clearly defined breach detection and notification protocols.

6. What is “Zero Trust” and Why Should You Care?

Zero Trust is a cybersecurity approach that assumes no user or device is secure, which helps protect the highly sensitive data that municipalities manage.

Zero Trust cybersecurity relies on the principle that no one, whether inside or outside a network, should be trusted by default. Effective implementation means verifying identity explicitly, granting least-privilege access, and monitoring for breaches continuously. Municipalities can reduce their risk of data breaches with this more secure model: according to Microsoft, their customers have saved over $7 million in legacy software and infrastructure since implementing a Zero Trust approach.

7. What Does the Rise of AI Mean for Municipal Cybersecurity?

AI is moving quickly from experimentation to real-world use across municipalities. But as adoption accelerates, so does risk. AI relies on large volumes of sensitive data. Without proper controls, municipalities risk exposing citizen information, creating compliance gaps, and introducing new attack vectors. At the same time, threat actors are using AI to scale phishing, automate attacks, and exploit vulnerabilities faster than ever.  To adopt AI responsibly, municipalities must first strengthen their foundation:

  • Govern and protect data before it’s used in AI

  • Enforce strong identity, access, and monitoring controls

  • Align AI use with privacy and regulatory requirements

  • Focus on high-value, low-risk use cases

AI is a powerful opportunity, but without the right security and governance, it can quickly increase risk. The goal isn’t just AI adoption. It’s secure, compliant, and confident adoption.

8. If You're Using Microsoft 365, Are You Getting The Full Value?

Many municipalities are already using Microsoft 365, but not always to its full potential. In many cases, critical security and compliance features are either underutilized or not configured properly. This can leave gaps in protection, visibility, and governance, especially as organizations expand into cloud services and AI-enabled tools. Common challenges include incomplete configurations, limited use of advanced security capabilities, and a lack of ongoing optimization. As a result, municipalities may be exposed to unnecessary risk while not fully realizing the return on their existing investment.

To close these gaps, municipalities should focus on:

  • Ensuring core security features like identity protection, data loss prevention, and threat detection are properly configured

  • Regularly reviewing and optimizing settings as needs evolve

  • Aligning Microsoft 365 capabilities with security, compliance, and operational goals

  • Leveraging built-in tools to support secure collaboration and AI readiness

Maximizing Microsoft 365 isn’t about adding more technology; it’s about getting the most from what you already have.

9. How Can We Improve Data Security and Governance Across Our Municipality?

Municipalities manage large volumes of sensitive data, from citizen records to financial information, but often lack visibility into where that data lives or how it’s being used. Without strong data protection and governance in place, this creates risk around data exposure, compliance gaps, and uncontrolled access, especially as organizations adopt cloud and AI-driven solutions. Platforms like Microsoft Purview help municipalities gain control over their data by providing centralized visibility, classification, and protection across environments.

To strengthen data security and governance, municipalities should focus on:

  • Understanding where sensitive data resides and how it flows across systems

  • Classifying and labeling data to enforce consistent protection policies

  • Implementing data loss prevention and insider risk controls

  • Establishing governance frameworks to support compliance and audit readiness

Effective data governance isn’t just about compliance; it’s about knowing your data, protecting it, and using it safely to support operations and innovation.

10. How Can Working with an MSP and/or MSSP Benefit You?

Partnering with an MSP and/or MSSP gives municipalities access to specialized expertise and advanced technologies that may be otherwise inaccessible. When deciding whether to build up an internal IT team or collaborate with external cybersecurity experts, municipalities should consider the advantages of each approach. Insourcing talent provides direct control and a deep understanding of local needs, but requires ongoing investment in recruiting and training.

Partnering with an MSP and/or MSSP, by contrast, delivers immediate access to experienced professionals and the latest tools, offering scalable and adaptable solutions tailored to municipal requirements. These partners can also support regulatory compliance and provide timely incident response, helping minimize damage during attacks. By working with trusted partners, municipalities can enhance their IT security posture, safeguard critical infrastructure, and free internal resources to focus on other priorities, strengthening overall resilience and public safety.

 

What's Next?

Municipalities are just as vulnerable to cyberattacks as private sector organizations, if not more so. In fact, their susceptibility is often heightened due to aging IT infrastructure, limited cybersecurity expertise, decentralized systems, and constrained budgets. These challenges make them attractive targets for cybercriminals seeking to disrupt essential services, steal sensitive citizen data, or demand ransom payments.
 
As stewards of public trust and safety, municipal leaders must begin actively asking the right questions and engaging in meaningful discussions around cybersecurity. Strengthening their security posture isn't just an IT issue; it’s a critical component of protecting the communities they serve. However, with limited internal resources and financial constraints, municipalities often struggle to build and maintain robust security programs on their own.
 
That’s where Bulletproof comes in.  As a single, integrated partner, Bulletproof supports municipalities from strategy through execution, bringing together IT, security, compliance, and AI to deliver a cohesive, scalable approach to risk reduction and modernization. Rather than managing multiple vendors, municipalities gain one trusted partner that acts as an extension of their team, providing strategic guidance, implementing solutions, and delivering ongoing support to ensure long-term resilience.

This end-to-end partnership enables municipalities to simplify complexity, strengthen their security posture, and confidently modernize without overburdening internal teams or budgets.

“After we understood that we were indeed attacked we had Bulletproof on site and ready to support us in containment. When Bulletproof came on site, it was like they were part of the team; instant connection, working with them side by side. We have visibility into inputs and endpoints from our Microsoft Security solutions that we never had before, and it’s key to educating users and maintaining a more resilient network.”

Stephanie Rackley-Roach
Chief Information Officer, City of Saint John


Bulletproof Solutions for Local Government

Modernize Operations. Reduce Risk. Move Faster with Confidence.

Local governments must protect citizen data, keep critical services running, and maintain public trust – often with lean teams, aging systems, and growing cyber and compliance pressures. When systems falter or ransomware hits, it becomes front-page news.


How Bulletproof Helped the City of Saint John Overcome a Ransomware Attack

 

The City of Saint John was hit by a crippling ransomware demand. Even as the City was working harder than ever to deliver service, the resolute municipality refused to submit to the demands to pay up. Instead, the City’s IT team worked with Bulletproof to rebuild critical systems and re-engineer the City’s cybersecurity posture.

 


Make Your Business Immune to Disruption with Our Security Operations Center

 

Did you know that there are 1.7 million ransomware attacks every day? That’s 19 every second! If that number doesn’t alarm you, consider this: the average cost of a ransomware attack is a staggering $1.85 million!

That’s where our Security Operations Center (SOC) comes in. Our SOC is dedicated to serving and protecting our customers around the clock, providing 24/7 protection no matter where you are. Watch this video for an exclusive inside look at how we keep your business secure.

 


Bulletproof Credentials

“I’m so pleased to congratulate Bulletproof, this year’s Microsoft Security Excellence awards recipient for Security Trailblazer award.
 
Our partner community plays such an important role in helping our customers navigate a rapidly evolving cybersecurity landscape. 
 
We are so proud to work alongside them in a shared commitment to building a safer world for everyone.”  


Vasu Jakkal, CVP, Microsoft Security
